Ziplocked docs: Not yet in the bag

AirZip is showcasing document protection software that does what end-to-end encryption can't: control documents at the receiving end. But Tiffany Kary says the program might not be air-tight.

While security incumbents like Network Associates and VeriSign debated the big issues of enterprise security in under-attended keynotes at Comdex Fall 2002, smaller companies took the floor (literally--several big players opted for hotel suites over booths this year) with innovative new solutions.

One of those companies is AirZip, a San Jose-based company that has previously specialized in speeding up document delivery.

AirZip announced Tuesday two new products that approach security from the inside out. AirZip Document Secure and AirZip Website Secure are part of what the company refers to as a "persistent" security solution.

AirZip Document Secure uses 256-bit AES encryption to do what traditional end-to-end encryption can't: it controls the document at the receiving end. By specifying access rules for an Adobe or Microsoft document through Microsoft Outlook, the sender has control of the document no matter where it goes, and regardless of whether it is used online or off. The sender can control when the document is viewed, and who the recipient can forward it to. Commands like print screen and cut-and-paste can be disabled, as can the capture of screenshots in Photoshop and PrintShop. AirZip Document Secure even protects against newer programs that can be downloaded, like SnagIt. It also updates permissions in real-time, as soon as a user is online. No VPN access or launch of Outlook required. The company has thought of everything, or so it seems.

The one weak spot is that the system relies on a password. Should the recipient decide to forward a "controlled" document to an unauthorized recipient who also has AirZip installed, all that person needs to access the document is to be told the password. So much for air-tight security.

It seems like an egregious oversight for a company that touts its product as a solution to disgruntled employees and other internal threats.

Not so, says CEO Lee Bauman. Though Gartner estimates that 70 percent of unauthorized access to information is by employees, most of that comes from unintentional forwarding, and plain old inattention, according to Bauman.

Nevertheless, "a company should have other methods if they're that concerned about the information," he said. Bauman also says the offender wouldn't get far, since the software creates an audit trail, and the sender would know immediately what had happened, and could turn off forwarding capabilities altogether. The product also has other useful applications, like letting senders control what version of a document is being used--something that comes in handy for marketing staff who might not always track the latest pricing changes or policy shifts. When sending a newer version of a document, the sender can disable the old version, ensuring that old documents aren't still floating around.

AirZip's Web product, AirZip Website Secure, addressed the problem of Web content being copied, altered, becoming out-of-date, or saved without company permission. The company can protect information like product and price information by making it view-only, and preventing save or screen capture.

There appears to be a small oversight here for the crafty corporate spy as well though. The camera.

AirZip Document Secure retails for $100 per client with a $10,000 minimum. That includes a client software that sits on a PC or laptop, and server software. The Web product is $6,000. Both can be integrated with the company's delivery acceleration products, which use compression to deliver documents up to 800 percent faster.

Does AirZip sound secure enough to protect your documents? TalkBack below or e-mail us with your thoughts.